Paul Gardner and Jas Purewal of interactive entertainment law firm Osborne Clarke discuss what data protection means for games businesses and what they need to do about it. This is the first of a two-part series.
Tim Berners-Lee once said "data is a precious thing and will last longer than the systems themselves". Collecting and using data is critical to the success of any modern technology business – games businesses included. But recent events in the games and tech industries – from the major Sony/PlayStation security breach to the reported hacking of Square Enix and Codemasters servers – show that guarding data and the systems that hold it is just as critical.
This article is split in two parts. In this first part, we explain the essentials of data protection and what games businesses need to know about it. In the second part, we'll explain lessons to be learned from the recent security breaches in the games industry.
WHY DOES PROTECTING DATA MATTER?
A year ago, having to worry about data protection was probably pretty low down on any games business's list. The recent mass hacking of the Sony PlayStation Network and Qriocity service, which led to the theft of around 77m personal accounts – the effects of which are still being felt even after PSN resumed service recently – has brought home to everyone the importance of protecting your data. To think otherwise risks ultimately going through some of what Sony is still experiencing: government investigations potentially leading to substantial fines, lawsuits, bad PR and – worst of all – loss of customer trust.
There are other examples, too. Look at the reactions to Google Street View and Buzz (where an $8.5m settlement with the FTC has just been announced), Facebook's privacy policies and Blizzard's Real ID project over the last year or so. In each case, a failure to understand the full importance of data protection and privacy to consumers and regulators caused real problems.
A QUICK GUIDE TO DATA PROTECTION LAW
(Note: the following is based on English law, which is pretty similar to European data protection law – but there will be occasional differences. Other countries, e.g. the USA, have different data protection regimes. You will need to think about data protection in every country where you have customers.)
Basically, anyone who "processes personal data" must comply with data protection legislation (contained in the Data Protection Act 1998).
What does "processing personal data" mean? If you are collecting data which (on its own or with other data that you could access) could identify a living person, then you are collecting personal data. Some examples of what can constitute personal data are: name, age, sex, race, a postal or email address.
"Processing" is pretty much any conceivable use of personal data, including viewing it onscreen, copying it, transferring it, even deleting it. Here are some examples of frequent activity in the games industry which could involve processing personal data:
- Customers purchasing a game from or registering it with the developer/publisher
- Customers registering an account for an online game or game community
- Customers registering to join a website, or mailing list
- Running a forum/message board which involves customers providing to you or making public any personal data
- Collecting/storing personal data about your customers, business partners or staff
If you are involved with any of these services, then you are subject to data protection laws. There is no exemption for small businesses – it doesn't matter whether you're an indie developer or a major publisher. Data protection laws apply to anyone who processes personal data (unless you fall into a small group of specific exemptions – which a lawyer can advise you on).
Who is responsible for the data protection obligations? There are three kinds of people who can be involved in personal data. The first is the data subjects (i.e. normal people to whom the personal data belongs). The second are data controllers (those who collect the personal data for their own uses – games businesses fall into this category). The third are the data processors (some data controllers get third parties to process personal data on their behalf – those are the data processors; more on them later).
Data controllers are responsible for compliance with data protection law. If you commission data collection, then you are responsible for protecting it – not any organisation which collects or processes it for you. What do you have to do?
(1) You have to notify your national regulator. In the UK, this is the Information Commissioner's Office (ICO) – generally, a failure to notify the ICO that you are processing personal data is a criminal offence. (2) You have to comply with the eight Data Protection Principles.
The eight Data Protection Principles set out how data controllers should protect personal data:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
These eight principles are the crux of data protection law: you need to have systems in place to ensure that you comply with them as fully as possible, since failure to do so could lead both to security breaches and regulatory investigation. It's therefore well worth working out how to ensure you comply with these requirements. Here are some key tips to consider:
- You need to have clear internal data protection policies in place to ensure that you know why you are collecting personal data, what you can/can't do with it and when you will destroy it.
- You also need to have easy-to-understand privacy policies for customers, so that they can understand what, when and how you are collecting data, what you're going to do with it and why you need it. Depending on how you collect data (e.g. through cookies) or how you send information to customers (e.g. physical or email marketing materials), you may well have to deal with additional legal obligations to your customers (basically, you will need to get specific consent from customers).
- Carry out regular audits of your policies and actual performance against them.
- Put a security breach plan in place, so that everyone knows what to do in the event of a security breach (more on that in part 2).
- Destruction is often the best safeguard: review the personal data you are already holding, work out what you actually need and delete the rest.
- Who do you give the personal data to? Data protection law expressly requires you to enter written agreements with third parties to whom you pass personal data that you control – and you may well have to take extra steps if they are outside the European Economic Area.
- Take advice – at the minimum, read the very helpful guidance at the ICO site. Ideally, talk to a friendly lawyer about creating a sensible data protection plan which balances the cost of data protection compliance with actually running a business.
What happens if you don't comply with the data protection requirements? You could face investigation leading to enforcement action and fines by national regulators in the territories in which you operate. Different countries have different levels of regulation – the UK regulator (the ICO) can order businesses to take certain actions and fine them up to £500,000, whereas in France the level of fines goes up to €150,000 for first breaches and €300,000 for further breaches. Plus, of course, you could face bad PR and difficulties with your customers and business partners.
What if I'm based outside of Europe? It is irrelevant where you are based – if you have operations or equipment on the ground in Europe, you can be subject to European Union law (although the exact laws will depend on where your operations or equipment are located – English data protection law is similar to, but not the same as, say, Spanish or German law). So, if you do business in Europe you are well advised to think seriously about compliance with European laws.
In the next part of this feature to go live on Thursday, we'll discuss what recent events like the Sony/PSN hacking can teach us about dealing with security breaches.